On Thu, 13 Feb 2003, siivv wrote:
> On Wed, 12 Feb 2003, pf-list wrote:
>
> > For the life of me I couldn't figure out why my logs were filling so fast
> > and yet there were only a few packets actually in them. When I listened
> > to pflog0 I found 1000s of dhcp server broadcasts that were being blocked
> > as per my ruleset (block that which I didn't request.)
> > I analyze my logs by the following:
> > tcpdump -ttt -n -e -r /var/log/pflog
> >
> > Yet the dhcp from port 67 to port 68 messages don't appear in my tcpdump
> > of the log. The rule I ended up adding to stop the blocking of the
> > packets is the following:
> > pass in quick on xl0 proto udp from 10.33.160.1 port 67 to any port 68
> >
> > But for some reason the tcpdump doesn't show the packets in /var/log/pflog
> >
> you are missing the log param
> pass in quick log on x10 proto...

No that rule was written intentionally so that the packets would no longer be blocked. However, I still should have been able to see the packets via tcpdumping /var/log/pflog and I never could. The only reason I discovered my logs were filling so fast was running ethereal on pflog0. With the new rule in place instead of my logs filling and rotating about twice a day they fill and rotate about once per week. So where were the packets, why couldn't I see them via tcpdump of pflog?

> >
> > Is this a bug or am I confused or doing something improperly?
> >
> > -quel
